portable-executable

How to tell if a Windows PE file is a console subsystem or a Windows subsystem programmatically?

北城以北 submitted on 2020-01-10 03:16:08
Question: Basically I need a program that will sort Windows .exe's from their console counterparts. A file scanner: SortExe(file exe) { if (IsPeWindows(exe)) { AddToList1(exe); } else if (IsPeConsole()) { AddToList2(exe); } } How do I implement IsPeWindows or IsPeConsole()? I do not particularly mind what language solutions come in, so long as it's one of C, C++, C# or Visual Basic. Answer 1: Pass SHGFI_EXETYPE to SHGetFileInfo() and examine the hi/loword of the return value as explained in the link. Source: https:

Show info about IMAGE_EXPORT_DIRECTORY

折月煮酒 submitted on 2020-01-06 03:34:06
Question: I want to print information about IMAGE_EXPORT_DIRECTORY in the following form: <Name1>,<Ordinal1>,<FileAddress1> I know that this IMAGE consists of 3 arrays: AddressOfFunctions (Export Address Table, each element is an RVA); AddressOfNames (Export Name Pointer Table, also each element is an RVA; ordered?); AddressOfNameOrdinals (where the element of the array - Base represents an ordinal in the EAT). But how can I access those tables in order to print information for each element in one

Which of the MS-DOS header fields are mandatory/optional?

一笑奈何 submitted on 2020-01-05 05:31:07
Question: The above is the complete list of MS-DOS header fields, but I don't know which of them are mandatory and which are optional; does anyone know? Answer 1: If you're trying to create a PE image, e_magic (Magic number) and e_lfanew (File address of new exe header) are the only mandatory fields that you have to fill in. e_lfanew should point to the PE IMAGE_NT_HEADER structure. Answer 2: Well, back in 2006 someone wanted to create the world's most tiny PE. For this he wrote a small PE fuzzer. With the smallest

Get Current NT Header Data of running Process with C/C++

我是研究僧i submitted on 2020-01-04 07:47:05
Question: This is my first post and I am stuck here. I am currently working on my project and I have a problem: I am getting the base address of my own module and reading the process memory to get the IMAGE_DOS_HEADER at runtime, then I continue adding e_lfanew from the IMAGE_DOS_HEADER struct to the BaseAddress to get the IMAGE_NT_HEADER. Finally, I check whether the NT signature is valid, and it seems to be. So reading the PE of my own process worked, I guess... I am trying to read TimeDateStamp and this

C++ entry point -> main()

五迷三道 submitted on 2020-01-04 06:17:49
Question: I am writing my own little user-mode debugger for fun. I know that the entry point specified in the PE header is not the program's defined main() (as far as the Microsoft C++ runtime is concerned, anyway). Where can I find some documentation on the calls that take place between this entry point and the actual main() function, why they are called, and what they do? Answer 1: You can't. In fact main may not exist. E.g.: you can override the default CRT entry point used by the linker; the main can

What does the /TSAWARE linker flag do to the PE executable?

不问归期 submitted on 2020-01-02 08:43:30
Question: After adding the /TSAWARE linker flag to one of my projects (Visual Studio 6), I was surprised to find a new section in the PE file (.idata). If I don't set the flag, the imports are merged into .rdata. To illustrate the "problem" we start out with a simple console program: #include <stdio.h> int main() { printf("hello world\n"); return 0; } and compile with: cl /Og /O1 /GF /WX /c main.c Then link with: link /MACHINE:IX86 /SUBSYSTEM:CONSOLE /RELEASE /OUT:a.exe main.obj link /MACHINE:IX86

How can `kernel32.dll` export an ordinal of 0, when its `OrdinalBase` field is set to 1?

狂风中的少年 submitted on 2020-01-01 07:22:05
Question: Looking at kernel32.dll as it is loaded into memory, I see the following export ordinal table: (gdb) x /400hd $eax 0x776334b0 <Wow64Transition+71576>: 3 4 5 6 7 8 9 10 0x776334c0 <Wow64Transition+71592>: 11 12 13 14 15 16 17 18 0x776334d0 <Wow64Transition+71608>: 19 20 21 22 23 24 25 26 0x776334e0 <Wow64Transition+71624>: 27 28 29 30 31 32 33 34 0x776334f0 <Wow64Transition+71640>: 35 36 37 38 39 40 41 42 0x77633500 <Wow64Transition+71656>: 43 44 45 46 47 48 49 50 0x77633510 <Wow64Transition

executable sections flag

纵饮孤独 submitted on 2019-12-30 10:32:33
Question: The sections of Portable Executable files are tagged with different flags. Can someone explain the difference between IMAGE_SCN_MEM_EXECUTE (the section can be executed as code) and IMAGE_SCN_CNT_CODE (the section contains executable code)? Thanks. Answer 1: IMAGE_SCN_MEM_EXECUTE is the one that is actually used by the PE loader to set up page permissions. IMAGE_SCN_CNT_CODE is not used; I guess it's just a descriptive flag. Source: https://stackoverflow.com/questions/3912129/executable-sections-flag

How to place a variable at a given absolute address in memory (with Visual C++)

二次信任 submitted on 2019-12-30 10:16:36
Question: How can I statically tell Visual C++ to place a global variable at a given absolute address in memory, like what __attribute__((at(address))) does? Answer 1: It can be done, but I don't believe there is a predefined way to do it, so it will take some experimentation. Even though I don't see much benefit if you create your variable at run time just at the start of user code execution. So first specify the section/segment where to init your variable using the MS-specific allocate specifier. Then

Resolve Function Address with PE Export Table

∥☆過路亽.° submitted on 2019-12-24 17:48:49
Question: Can anyone explain to me how to properly obtain a function address from a PE image and then call that function with a delegate? I found a good piece of code googling around that loads exports from a DLL library, but it only gets function names out of it... so I modified it as follows: [DllImport("ImageHlp", CallingConvention = CallingConvention.Winapi), SuppressUnmanagedCodeSecurity] public static extern bool MapAndLoad(string imageName, string dllPath, out LOADED_IMAGE loadedImage, bool dotDll,